Manufacturer claims that passwords in Acrobat 9 are easier to crack than in version 8
Russian manufacturer of password recovery software Elcomsoft claims to have discovered a weakness in the password verification system used in Adobe Acrobat 9 that makes password recovery much easier. According to the product description for Version 5.0 of Advanced PDF Password Recovery (APDFPR), because of this weakness, administrators should be able to recover passwords for encrypted Adobe 9 files on their networks 100 times faster than with the previous version.
Manufacturers have been using verification systems to prevent brute force and dictionary attacks for a long time. These systems don't just hash the password once with MD5, but several times – which requires a lot of computing time to crack. The method has been used successfully in applications such as MS Office 2007. Although Adobe has implemented it in all versions of Acrobat since Acrobat 5, Elcomsoft has informed heise Security that the password protection implemented in version 9 is different.
Adobe 9.0 uses the SHA-256 algorithm – considered more secure than 128-bit MD5 – but the mechanism for verifying the password is so weak that even passwords with eight characters are no longer secure. The larger bit-lengths are not enough to provide the level of security available with the previous version, Acrobat 8.0.
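The point that repeated hashing, not digest length, sets the cost of each password check can be measured directly. The following Python sketch is an added example, not code from Elcomsoft, Adobe or the original article; the salt, the round counts and the generic "re-hash the digest" scheme are assumptions chosen for illustration and are not Acrobat's actual parameters or algorithm.

```python
import hashlib
import hmac
import time

def stretched_verifier(password: bytes, salt: bytes, algo: str, rounds: int) -> bytes:
    """Hash salt+password once, then re-hash the digest (rounds - 1) more times."""
    digest = hashlib.new(algo, salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.new(algo, digest).digest()
    return digest

def check_password(candidate: bytes, salt: bytes, algo: str, rounds: int,
                   stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored verifier."""
    return hmac.compare_digest(stretched_verifier(candidate, salt, algo, rounds), stored)

def seconds_per_check(algo: str, rounds: int, samples: int = 50) -> float:
    """Average wall-clock cost of one verification on this machine."""
    salt = b"constructed-salt"  # constructed sample value
    start = time.perf_counter()
    for i in range(samples):
        stretched_verifier(b"candidate-%d" % i, salt, algo, rounds)
    return (time.perf_counter() - start) / samples

def years_to_exhaust(alphabet_size: int, length: int, secs_per_check: float) -> float:
    """Time to try every password of the given length at the measured rate."""
    return alphabet_size ** length * secs_per_check / (365 * 24 * 3600)

if __name__ == "__main__":
    # Illustrative settings only: the round counts are assumptions.
    settings = [
        ("single SHA-256", "sha256", 1),
        ("MD5 x 5000", "md5", 5000),
        ("SHA-256 x 5000", "sha256", 5000),
    ]
    for label, algo, rounds in settings:
        cost = seconds_per_check(algo, rounds)
        years = years_to_exhaust(95, 8, cost)  # 8 printable ASCII characters
        print(f"{label:15s} {cost * 1e6:10.1f} us/check {years:14.1f} years")
```

The absolute figures come from single-threaded Python and say nothing about dedicated hardware; the ratio between the rows is what matters when choosing a work factor for a password verifier.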
- ElcomSoft discovers security vulnerability in Adobe Acrobat 9.0, announcement from Elcomsoft